How to disable User Accounts on Linux System

by

Introduction

As a Linux system administrator you will be required to manage user accounts. This can be done by adding or removing user logins or simply by temporarily or permanently disabling an entire account while leaving the user’s profile and files intact. This article describes a few ways on how to disable the user account in the Linux operating system.

Shadow file modification

The easiest way to disable the user account is to modify a /etc/shadow file, which is responsible for holding encrypted passwords for users listed /etc/passwd. Here is a typical user entry found in the /etc/shadow file:

tester:$6dKR$Yku3LWgJmomsynpcle9BCA:15711:0:99999:7:::

To disable the above account simply add “*” or “!” in front of the encrypted password:

tester:!$6dKR$Yku3LWgJmomsynpcle9BCA:15711:0:99999:7:::

The above can also be simply achieved by:

# usermod -L tester

Any login method, which uses the /etc/shadow file to authenticate the user, will no longer be able to decrypt the user’s password and thus not allowing him/her to login:

 $ su tester
Password: 
su: Authentication failure

To enable the user account simply remove “!” from the /etc/shadow file or use the usermod command:

# usermod -U tester

It is important to point out that this method of disabling user accounts in the Linux system is only valid for programs or commands, which use the /etc/shadow file as means to authenticate users. For example, if the user has already exchanged ssh keys he/she will still be able to login despite of your /etc/shadow file modifications.

nologin User Shell

Another and more secure way of disabling the user account in the Linux operating system is to replace the existing user login shell with some pseudo shell such as /usr/sbin/nologin. nologin will display a polite message:

This account is currently not available.

after the user’s login attempt. To achieve this, modify the /etc/password file and change the user’s entry

from:

tester:x:1001:1001:Tester,User,,:/home/tester:/bin/bash

to:

tester:x:1001:1001:Tester,User,,:/home/tester:/usr/sbin/nologin

Once done, the user will no longer be able to login even with a valid password:

$ su tester
Password: 
This account is currently not available.

Conclusion

Both above methods have their cons and pros and it is up to you to choose the best method to fit your environment. To read more about the shadow password file, nologin or usermod access their relevant manual page by:

$ man shadow
$ man usermod
$ man nologin

Related Linux Tutorials:

Comments and Discussions
Linux Forum